Health Insurance Company Builds Identity and Access Management Program from Ground Up

About the company

Closely connected to the community it serves, a health insurance company is committed to improving the lives of its more than 700,000 members. Technology plays an important role in fulfilling this commitment. Members can connect to doctors 24/7 through a mobile application, attend online workshops that explain plan options and interact with customer service agents across digital platforms.

Challenge

For the company to be successful, members, employees and third-party contractors must access its more than 300 applications daily. With so many user types and a large application footprint on-premises and in the cloud, the company struggled to identify who had access to what applications. 

This lack of visibility also presented problems when the company needed to restrict access to applications. Without identity and access being a part of its security posture, the company couldn't assure auditors that unauthorized access would be addressed in a timely manner. 

In addition to the company accepting compliance risks, application owners had to spend hours reviewing thousands of lines of entitlements every time an employee or contractor was onboarded or changed positions.

Wanting to close compliance gaps and reduce inefficiencies, the company looked to WWT to help it build an identity and access management program from the ground up. 

Solution

Initially, leadership wanted to implement role-based access (RBAC) across the enterprise. WWT security consultants helped the company understand that in order to do so, they would first need to associate identity with every application in their portfolio. This would serve as the foundation for establishing lifecycle and governance as part of the identity and access management program. 

After interviewing application owners and managers to understand their processes and pain points, our consultants analyzed data from 75 of the company's applications. From that data, they mined user roles, identifying common entitlements between different user types. 

WWT also brought in ServiceNow experts who created escalation emails to managers when the company's security team identified instances of unauthorized access. Once these controls were in place, our security consultants updated compliance documents to satisfy audit requirements. 

Throughout the engagement, our consultants worked with the company's communication department to keep application owners and managers informed of upcoming process changes and how those changes would make their jobs easier. 

Results

The company is well positioned for upcoming compliance audits with defined service level agreements for remediating unauthorized access. Escalation emails are sent to managers as soon as unauthorized access is identified, with access restricted after five days.

The company also has reduced the amount of time application owners spend on access reviews. For the 75 applications that WWT has analyzed and created roles for, managers can now review 30 lines of entitlements versus 10,000 lines of entitlements on average, which has collapsed review time from hours to minutes. 

Pleased with the path it is on, the company continues to further its identity and access management program with WWT. Security consultants now are chipping away at role mining the company's entire application portfolio to achieve role-based access across the enterprise.

WWT is also helping the company implement a new identity and access management technology solution that will complement the process changes now in place. Once implemented, the solution will make it even easier for the company to manage and automate user access.